Slashdot videos: Now with more Slashdot!

View

Discuss

Share

We've improved Slashdot's video section; now you can view our video interviews, product close-ups and site visits with all the usual Slashdot options to comment, share, etc. No more walled garden! It's a work in progress -- we hope you'll check it out (Learn more about the recent updates).

Trailrunner7 writes "Robert Hansen, a security researcher and CEO of SecTheory, has been gleaning intelligence from professional attackers in recent months, having a series of off-the-record conversations with spammers and malicious hackers in an effort to gain insight into their tactics, mindset and motivation. 'He's not the type to hack randomly, he's only interested in targeted attacks with big payouts. Well, the more I thought about it the more I thought that this is a very solvable problem for bad guys. There are already other types of bad guys who do things like spam, steal credentials and DDoS. For that to work they need a botnet with thousands or millions of machines. The chances of a million machine botnet having compromised at least one machine within a target of interest is relatively high.' Hansen's solution to the hacker's problem provides a glimpse into a business model we might see in the not-too-distant future. It's an evolutionary version of the botnet-for-hire or malware-as-a-service model that's taken off in recent years. In Hansen's model, an attacker looking to infiltrate a specific network would not spend weeks throwing resources against machines in that network, looking for a weak spot and potentially raising the suspicion of the company's security team. Instead, he would contact a botmaster and give him a laundry list of the machines or IP addresses he's interested in compromising. If the botmaster already has his hooks into the network, the customer could then buy access directly into the network rather than spending his own time and resources trying to get in."

Business does require a certain amount of trust, but it's amazing how money talks. For example, the conversation might go like this:

"Uh, I don't trust you but I want to search your botnet. Strictly for research purposes.""I'm trustworthy. I control such-and-such handle over at such-and-such forum. I'm going to post '(some message)' in 5 minutes -- that proves it. But my botnet is expensive. Can you pay?"
"Yeah, here's a paypal gift to prove I have funds.""Ok, I'm listening. What do you want?"
(And the negotiation goes on from there.)

This is an Apple-like vertical integration of services (but for botnets). The same guy who has "owned" the hardware offers "other services" on his "platform." I couldn't keep a straight face as I typed that.

This particular problem already exists - and yet there are online exchanges to buy/swap/sell credit card information, bank account info etc. The risk is sold off - so if a guy has 1000 bank accounts (+pin + atm card number etc) with an average of $10,000 on each of them, he sells it to someone who will actually do the hard work at say $20 per account.

Your argument would be the same at the exchanges too... but they exist and thrive. So, a botnet selling cloud computing power is not far fetched.

If I am a security guy for some entity that I fear may contain compromised systems, and potentially be the target of more focused attacks, I can use this hypothetical "botnet stock exchange" to verify my suspicions. "So, I'm interested in buying access to hosts within OWN_IP_BLOCK, anybody have some?" If no, breath slightly easier. If yes, I now know which of my hosts need serious inspection and rebuilding.

Depending on exactly how the exchange is run, basic checks(ie. botnet or no botnet, not necessarily specific hosts) might well be cheap or even free. You don't have much of a market if people can't ask "Is anybody selling X?" and receive a useful answer. More specific answers would probably cost you, as would the services of the sorts of grey hats who work for white hats but can talk to black hats; but there are certainly circumstances where it could be cost effective.

> I'm interested in buying access to hosts within OWN_IP_BLOCK, anybody have some?

Can this be mitigated? Is it realistic? Will you know how it was compromised?

A primary means black hats use to measure trust for purchases is repeat sales to the same buyer (for differing needs) and maybe some illegal activity e.g. paid via illegal means (to filter out anyone that is constrained to only legal means). Passing those tests is difficult (although possible by professional white-hat-consultants, however white h

Agreed. My first thought after reading the title was a large network of machines making microsecond stock purchases and sales with other machines, hoping that its algorithms are good enough to turn a profit. Some senior British official proposed a small fee per stock transaction to prevent that from happening, claiming that it would hurt the "buy and hold" stock purchasers, but I hadn't heard anything for a while. Samsonite? I was way off!

As best as I understand it that is pretty close to how real stock exchanges work. You don't necessarily sell shares just by saying you want to, someone else has to be prepared to buy them at the price you're asking. Nor can you buy them without someone offering to sell. The stock exchange keeps tracks of these offers and provides a mechanism to resolve them (OK, so there are stock brokers involved too, but this basic concept is how it works).

He's not the type to hack randomly, he's only interested in targeted attacks with big payouts.

Yeah, whatever. If I was an evil cracker I'd be damn sure to randomly target machines so I could use them for my targeted attacks. And I'd want a lot of them so I could bounce the attack through them to make it more difficult to find me.

If anything, if this guy was such a great cracker/hacker, wouldn't he already know about the percentages? Cracking any single specific machine is difficult. Cracking any random mach

So you have just hired a bot master. How do you pay them? You know they are dirty hackers, so it isn't like you would just give them your credit card number or Pay Pal account. Maybe the guy just wakes up and finds a crate of Jolt and Hot Pockets on his doorstep.

That would require physical access to the botnet-master (risky) or knowledge of the physical whereabouts of said person (risky again).

No, I'd much rather set up a paypal account with a fake firm in Tonga, linked to another fake firm on the Cayman Isles. It's apparently impressively difficult to get any information out of Tonga regarding business owners, whatever their background. The same goes for the Cayman Isles. And you could always route it again through Tonga, for double fun. And you wouldn't even have to leave your house. And the best news: there are already providers for it. [offshore-p...sional.com]

The site you refer to doesn't seem to even provide a Tonga service. I also notice they pretend to be a country in themselves when marketing their Casino license service. Regretfully this field also has a lot of "black hats" operating within it, not necessarily these guys, yet the indications are there. When shopping for services like that its always better to look at vendors that operate from a slightly better regulated jurisdiction, like for example Cyprus. Here is an example http://www.internetincorporat [internetincorporate.com]

If there's a growing number of Vista and Win 7 machines then someone shouldget back to MS and let them know whatever they're doing ain't working.

OS gains popularity, users on said OS want to see their dancing bunnies.

An operating system is only as secure as the user behind it. I'd guarentee most of the people around here could run a secure, stable Windows system AND be productive on it. But these are the same people who know to surf with adblock, noscript, a firewall and NOT go looking for dancing bunnies

To trade stocks in the first place? Buy some penny stocks/junk bonds whatever and get/steal/buy enough logins to various brokerages than just pump the price at an opportune time, take the money and run.

This happens on a rather frequent basis. I work on a trading desk which sees some retail customer order flow. Every now and then fraudulent pump and dump stocks come to our attention. Its usually not too hard to figure out that some order for 5x the average daily volume in a penny stock is fraudulent. Not to hard to track down the customer to give them a call and find out that they had no idea their account was broken into. A much more effective way is to send the orders a few hundred or thousand share

I've been spending more and more time talking to blackhats lately. Frankly, I think they're fascinating people

They are criminals who steal from people. Fascinating people? How sick.

Glamorizing thieves and moral creeps is sending a wrong message especially to young people. If it were up to me I would lock this Robert Hansen into a jail together with his "blackhats" thieves and thrown away the key. This is where he and they belong.

It is counter-productive for a security researcher to not be fascinated by these people. Your moralizing the issue only holds back any meaningful gathering of knowledge that can be used to mitigate the harm that blackhat hackers can cause to legitimate people. There is a time and place for us to objectively learn more about their culture, technology, and economy for our own well being.

1. Regardless of your knee-jerk reaction to being interested in how "bad people" think, they ARE fascinating, and often very fruitful to study.2. Assuming you didn't RTFA, I don't see anywhere where he glamorizes black hats.3. This is akin to a cop going undercover to find out how criminals operate, you think they should be tossed in jail too?

Security research REQUIRES you to think like the "bad guys", it just comes with the territory.

This is a cop, who has an official, documented undercover task, but this man is a civilian associating with criminals on his own will. It is his duty to report the crime in progress.

Otherwise any gang member could say: "I am a sociologist. I was studying the way murderers and thieves operate and think. This is why I was on the crime scene."

Where does Hansen say he was "present at the crime scene"? I assume his contacts didn't give him any incriminating details, so what crimes in progress does he have a duty to report? If he did participate in any crimes, then he is obviously culpable. Otherwise it is a similar situation to a reporter interviewing a criminal, though again a security researcher is lacking the special protections reporters get for that sort of thing.

Probably you are lucky and were not a victim of these bot-nets and trojans' writers. But these are just about the same crime tools as picklock, gun, ax, etc. And these people are robbers, who just use some other tools.

No, I've had systems compromised quite a few times before I knew any better,

I've had systems compromised quite a few times before I knew any better, and had to clean up after many people who have had their systems compromised as well. Although if you mean I haven't been a "serious victim" I guess you are correct, though that wouldn't change my attitude about it. Not studying the problem is a sure-fire way to remain vulnerable to it.

Security technology alone cannot protect against this crime, the same way as a helmet and bullet-resistant vest cannot protect by itself, the same as a steel reinforced door cannot protect by itself.

The law enforcement and our rejection of this type of criminal behavior are necessary too. These people are not Robin Hoods, they are thieves, who steal from families and destroy companies. And it is a pity that a "security professional" associates with them.

I find your moral reasoning lacking. What, you think that he'l "turn to the dark side"? That professional mercenary botnet/malware distributors actually care about "professional admiration" and will up their ante because of it? What is it that makes fascination with evil/amoral people inherently "wrong"?

"The head of the Department of Post-Mortem Communications shrugged and sighed. ‘Look,’ he said, as if weary of having to explain so often, and sighed again. ‘I am supposed to be the bad person as defined by university statute, right? I am supposed to listen at doors. Supposed to dabble in the black arts. I’ve got the skull ring. I’ve got the staff with the silver skull on it—’
‘And a joke-shop mask?’ said Glenda.
‘Quite serviceable as a matter of f

But these are just about the same crime tools as picklock, gun, ax, etc. And these people are robbers, who just use some other tools.

Whoa, whoa, hold on there a minute!

The botnet is "just about the same" as a stolen gun, a stolen axe, stolen lockpicks, etc. Generic tools have no inherent moral dimension; lockpicks can be used to save a baby locked in a burning building, an axe can be used to build a house for a homeless person, a gun can be used to defend against criminals or to hunt for food.

Look, I hate to break it to you - "security researchers" are basically crackers with morals who, for obvious reasons, would like to live in civilized society without being ostracized. A lot of "them" go "a tad bit" neurotic because of the inherent contradictions in this, but that's how it is. And if you're incapable of feeling more than one emotion towards a thing, concept or person, you're severely emotionally underdeveloped.

He's reposting word for word what happens on a daily basis and its his model? Is anyone else slightly confused by this?

Though TFA does at least mention "This model makes sense on a number of levels and may well have been implemented already."

Theres even underground exchanges between the various botnet holders to some extent. If botnet controller A does not have enough(or any) compromised machines related to a target in one of his customers shopping lists he'll go to botnet controller B, C, or d-z in order t

All wealth is created in arbitrage. All wealth arises in the differences between what I know, what I can do, what I want to do and what you know, what you can do and what you want to do. If you hand over your target information, you've closed the gap so much that profit will disappear altogether -- especially if the botnet owner involved figures out what he can gain from the target.

That's absolute nonsense (unless you're going to use a definition of 'wealth' gamed to mean 'something created in arbitrage'). It's easily proved wrong by simple thought experiments. If I make a chair, I am wealthier by one chair. It doesn't matter whether or not anyone else is willing to pay for the chair. You may be able to argue that if I need something I can't make for myself that the financial system I have to rely on to get has arbitrage as an int

The concept seems sound and trades are not uncommon in the cracker world but this is not the problem.
- "How do you know that your system is secure?"
- "Aaaa, I have an antivirus and broadband router that is handling my Internet connection. That should keep me safe"
- "Ok. And why are there all those ports opened on your router?"
- "Well, I'm forwarding everything through it in order to be able to play _______" (Insert game name here)
- "I see. Ok."
An antivirus and a firewall will not help you if you are

If it were that simple that one was free of an implied warranty by being non-commercial there would be no point in putting a disclaimer of warranty in the licenses of FOSS software. The issue, though, isn't as clear as you would like it to seem.

Microsoft and its suppliers provide the Software and support services (if any) AS IS AND WITH ALL FAULTS, and hereby disclaim all other warranties and conditions, whether express, implied or statutory, including, but not limited to, any (if any) implied warranties, duties or conditions of merchantability, of fitness for a particular purpose, of reliability or availability, of accuracy or completeness of responses, of results, of workmanlike effort, of lack of viruses,

Oh, I'm not talking about what it is, I'm talking about what it should be, legally. And EULAs are not above the law. In fact, EULAs (presented after the sale, as in this case) are not even valid in some countries, like Germany.

It would be interesting if enough unsophisticated users who unknowingly run bots decided that something like the iPad is "good enough" for them and they got rid of their PC. I say would be because it's not going to happen.

even app signing wouldn't work, it would ahve to be open enough to allow small outfits to produce code, and would need to allow dev to test run their code prior to the app signing. Both of those are holes, whats to stop a hacker from making a legit app and then using the same cert on both it and the malware?

*nix without admin rights, and their home dir mounted no_exec with backup taken every 6 hours, admined by dell/HP/etc. No way to install a new app, and no way to run something from the home dir, probl

*nix without admin rights, and their home dir mounted no_exec with backup taken every 6 hours, admined by dell/HP/etc. No way to install a new app, and no way to run something from the home dir, problem solved.

I guess we need to add the criteria of 'user needs to be productive'.

You can do that in Windows as well, by the way. GPOs and NTFS permissions are wonderful little toys.

Windows is no more secure than Linux, or whatever hippie OS you're into. Any OS as popular as Windows is going to get the crap hacked out of it, the only reason Linux (assuming you're into that, but substitute it for whatever you like) is 'more secure' is because your grandmother doesn't open.exe attachments on it.

Mostly because developers (including large companies) would refuse to distribute their software via such a model

Why? They can set up their own repositories, and the software would warn user about updates. They don't have to rely on distros' repositories.

It's true that they would have to make multiple packages, but that's not exactly astrophysics, and can easily be automated in the build process. And the repository itself is usually little more than an HTTP server with a particular directory layout.

It's not quite that simple. Proving that a product as complex as a consumer-level GUI operating system is bug-free and secure is in general an undecideable problem.

We can't even prove that our critical, lower-level embedded software (aerospace, health-related, etc) is bug-free, and this is why there is substantially more effort put into ensuring that such software is of high quality. For example there are extensive regulations [wikipedia.org] on how exhaustively testing must be done on various components of an aviation-r

We are making Toyota responsible for all the incidents, and possible future incidents with their acceleration issues, aren't we? Why not hold microsoft responible for their own products too?

You mean other than the fact that the EULA you agree to when using Windows says that Microsoft disclaims all warranties and Toyota has no such contractual agreement with purchasers of their car? And before you go on about being able to ignore that and claiming EULAs are unenforceable (which is a common slashdot meme but it is wrong) then you would have to say that any such disclaimers in FOSS software would be null and void too thus opening them up to being held responsible for any bugs in their software.